28 lines
856 B
YAML
28 lines
856 B
YAML
title: Powershell Suspicious Win32_PnPEntity
|
|
author: frack113
|
|
date: 2021/08/23
|
|
description: Adversaries may attempt to gather information about attached peripheral
|
|
devices and components connected to a computer system.
|
|
detection:
|
|
SELECTION_1:
|
|
ScriptBlockText: '*Win32_PnPEntity*'
|
|
condition: SELECTION_1
|
|
falsepositives:
|
|
- admin script
|
|
id: b26647de-4feb-4283-af6b-6117661283c5
|
|
level: low
|
|
logsource:
|
|
category: ps_script
|
|
definition: EnableScriptBlockLogging must be set to enable
|
|
product: windows
|
|
modified: 2021/10/16
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
|
|
status: experimental
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1120
|
|
yml_filename: powershell_suspicious_win32_pnpentity.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
|
|
|